[libvirt] unable to set security context (NFSv4 problem?)

Spencer Shimko spencer at beyondabstraction.net
Wed Apr 21 18:24:18 UTC 2010


Harald Dunkel wrote:
> Hi Spencer,
> 
> I could reproduce the EINVAL on the command line:
> 
> 	srvl022:/storage# touch /storage/x
> 	srvl022:/storage# chown 110:140 /storage/x
> 	chown: changing ownership of `/storage/x': Invalid argument
> 
> 110 and 140 are not valid UIDs and GIDs on the NFS
> server. They are defined in the local passwd/group files
> on the libvirt server only. After defining the user and
> group on the NFS server the error message is gone.
> 
> Obviously NFSv4 is a little bit picky about remote root
> users trying to change the ownership of files. This seems
> to break qemuSecurityDACSetOwnership() in qemu_security_dac.c,
> giving me the "unable to set security context" message.
> 
> Do you think it would be possible to introduce a configure
> option '--with-dac=no'?

I think that would be a little misleading ;)  It sounds like part of the 
problem was that the error message wasn't clearly conveying the reason 
for the problem.  It wasn't an SELinux security context that was causing 
issues, it was DAC user/group.  I just submitted a patch to clarify the 
error message to reference user/group instead of "security context."

--Spencer
> 
> 
> Regards
> 
> Harri
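
The failure discussed in this thread, as an added example that is not part of the original message and is not libvirt's code: a `chown()` wrapper whose error message names the user/group rather than a "security context". The function names, message wording and hint strings are assumptions made for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper: explain an errno from chown() in DAC terms. */
static const char *dac_chown_hint(int err)
{
    switch (err) {
    case EINVAL: /* the case in this thread: id not defined on the NFS server */
        return "user/group may be unknown to the NFSv4 server";
    case EPERM:
        return "caller lacks permission to change ownership";
    case EROFS:
        return "file system is read-only";
    case ENOENT:
        return "path does not exist";
    default:
        return "no specific hint";
    }
}

/* Hypothetical wrapper (not libvirt's function): chown() the path and, on
 * failure, write a message that refers to the user and group.
 * Returns 0 on success, or the errno value from chown() on failure. */
static int dac_set_ownership(const char *path, uid_t uid, gid_t gid,
                             char *msg, size_t msglen)
{
    if (chown(path, uid, gid) == 0) {
        if (msglen > 0)
            msg[0] = '\0';
        return 0;
    }
    int err = errno; /* save before snprintf/strerror can change it */
    snprintf(msg, msglen,
             "unable to set user and group to '%ld:%ld' on '%s': %s (%s)",
             (long)uid, (long)gid, path, strerror(err), dac_chown_hint(err));
    return err;
}

int main(int argc, char **argv)
{
    char msg[512];
    if (argc != 4) { fprintf(stderr, "usage: %s PATH UID GID\n", argv[0]); return 2; }
    int rc = dac_set_ownership(argv[1], (uid_t)atol(argv[2]), (gid_t)atol(argv[3]), msg, sizeof msg);
    if (rc != 0) fprintf(stderr, "%s\n", msg);
    return rc != 0;
}
```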